CVE-2025-22763 in Brizy Pro Plugininfo

Summary

by MITRE • 01/21/2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Brizy Pro allows Reflected XSS. This issue affects Brizy Pro: from n/a through 2.6.1.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/08/2025

The CVE-2025-22763 vulnerability represents a critical cross-site scripting flaw in the NotFound Brizy Pro web application framework that enables reflected XSS attacks. This vulnerability specifically impacts versions ranging from an unspecified starting point through version 2.6.1, creating a significant security risk for users operating within these software versions. The flaw occurs during the web page generation process where input validation and sanitization mechanisms fail to properly neutralize user-supplied data before incorporating it into dynamically generated web content.

The technical nature of this vulnerability stems from inadequate input handling within the Brizy Pro platform's content rendering engine. When users submit data through various input vectors such as URL parameters, form fields, or API endpoints, the application fails to properly sanitize or escape this data before displaying it within web pages. This allows malicious actors to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or arbitrary code execution. The reflected nature of this XSS vulnerability means that the malicious script is reflected off the web server rather than being stored, making it particularly challenging to detect and prevent.

The operational impact of this vulnerability extends beyond simple data theft or session manipulation. Attackers can exploit this flaw to redirect users to malicious websites, steal sensitive cookies and authentication tokens, or even perform actions on behalf of authenticated users. The vulnerability affects the core functionality of the Brizy Pro platform, potentially compromising all user data and system integrity. Organizations using affected versions face significant risk of unauthorized access, data breaches, and potential regulatory compliance violations. The reflected XSS characteristic means that attacks can be delivered through phishing emails, malicious links, or compromised websites that redirect users to vulnerable endpoints.

Security professionals should immediately implement mitigations including input validation, output encoding, and proper content security policy implementation. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and follows ATT&CK techniques related to initial access through malicious web content and execution through browser-based attacks. Organizations should prioritize updating to the latest stable version of Brizy Pro where this vulnerability has been patched, while also implementing additional defensive measures such as web application firewalls, strict input validation, and comprehensive security monitoring. The vulnerability demonstrates the critical importance of proper input sanitization in web applications and highlights the need for continuous security assessments to identify and remediate similar flaws in content management systems and web frameworks.

Responsible

Patchstack

Reservation

01/07/2025

Disclosure

01/21/2025

Moderation

accepted

CPE

ready

EPSS

0.00224

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!